[development] Geo-IP Modifications to 'watchdog' and 'statistics' modules

Dries Buytaert dries.buytaert at gmail.com
Tue Apr 18 17:25:43 UTC 2006

>> The screenshots look nice but the code looks a little dangerous as  
>> you're not
>> validating the input.  Hackers can inject XSS attacks.
> I'm not sure who the hackers would be, since this is on the admin  
> side of
> things, and my script only operates on the hostname that is already  
> in the
> SQL db.

If the server you 'curl' sends back malicious Javascript, they could  
hijack your session and take over your website.

> Yeah. This script, in the admin pages, only acts on whatever data  
> is in the
> watchdog 'hostname' field, which is an IP address placed there by  
> other
> parts of Drupal (as you know. ;)

MySQL tables in Drupal contain insecure data, including the watchdog  
and statistics tables.  Drupal cleans up the data "on output" (just  
before sending the data to the client).  Your code does not clean up  
the data, whereas the original code did.

Dries Buytaert  ::  http://www.buytaert.net/

More information about the development mailing list